feat(tazjin/nixos): issue wildcard cert for yggdrasil services

Issue a wildcard certificate using the Yandex Cloud DNS plugin (which is where
DNS for tazj.in is hosted).

Change-Id: I44fa48add660f4f4324ec4b056a81d78c45ff4f4
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12481
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
This commit is contained in:
Vincent Ambo 2024-09-14 22:52:54 +03:00 committed by tazjin
parent e5edb3b192
commit adf8a7da87
3 changed files with 18 additions and 2 deletions

View file

@ -72,8 +72,22 @@ in
time.timeZone = "UTC";
security.acme.acceptTerms = true;
security.acme.defaults.email = lib.mkForce "acme@tazj.in";
security.acme = {
acceptTerms = true;
defaults.email = lib.mkForce "acme@tazj.in";
# wildcard cert for usage with Yggdrasil services
certs."y.tazj.in" = {
dnsProvider = "yandexcloud";
credentialFiles.YANDEX_CLOUD_IAM_TOKEN_FILE = "/run/agenix/lego-yandex";
extraDomainNames = [ "*.y.tazj.in" ];
# folder tvl/tazjin-private/default
environmentFile = builtins.toFile "lego-yandex-env" ''
YANDEX_CLOUD_FOLDER_ID=b1gq41rsbggeum4qafnh
'';
};
};
programs.fish.enable = true;
@ -89,6 +103,7 @@ in
secretFile = name: depot.users.tazjin.secrets."${name}.age";
in
{
lego-yandex.file = secretFile "lego-yandex";
tgsa-yandex.file = secretFile "tgsa-yandex";
};

Binary file not shown.

View file

@ -13,4 +13,5 @@ in
"geesefs-tazjins-files.age".publicKeys = allKeys;
"miniflux.age".publicKeys = allKeys;
"tgsa-yandex.age".publicKeys = allKeys;
"lego-yandex.age".publicKeys = allKeys;
}